BKDR_ATADOMMO.C
Aliases: W32/Simda.B!tr (Fortinet), Trojan-Spy.Win32.Zbot (Ikarus), Backdoor:Win32/Atadommoc.C (Microsoft), a variant of Win32/Injector.YQX trojan (NOD32)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 53,248 bytes
File Type: EXE
Initial Samples Received Date: 08 Nov 2012
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following files:
- {All Users' Profile}\Application Data\COMMON.DATA
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
AutoStart = "{Malware Path}"
Backdoor Routine
This backdoor opens the following port(s) where it listens for remote commands:
- 8080
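The three host artifacts listed above (the dropped COMMON.DATA file, the Run value named AutoStart, and a listener on port 8080) can be checked together on a suspect machine. The script below is an added triage example, not part of the Trend Micro entry: the file path, registry value name and port come from the entry; the use of netstat, SHA-1 hashing of the file the Run value points to, and the assumption that the port is TCP are choices of this example. It is written for PowerShell 2.0 so it also runs on the Windows XP / Server 2003 hosts the entry names.

```powershell
# Added triage script (not from the Trend Micro entry). Checks the three
# artifacts the entry lists. Run from an elevated prompt.

$indicators = @()

# 1. Dropped file: {All Users' Profile}\Application Data\COMMON.DATA
#    $env:ALLUSERSPROFILE is the All Users profile on XP/2003; on Vista+ the
#    "Application Data" junction under ProgramData still resolves the same path.
$dropped = Join-Path $env:ALLUSERSPROFILE 'Application Data\COMMON.DATA'
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped
    $indicators += "Dropped file present: $dropped ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 2. Autostart: a Run value literally named "AutoStart" whose data is the malware path.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['AutoStart']) {
    # The entry says the data is the plain executable path; strip any surrounding quotes.
    $target = ([string]$run.AutoStart).Trim('"')
    $indicators += "Run value AutoStart = $target"
    if (Test-Path -LiteralPath $target) {
        # Hash the referenced file so it can be matched against vendor detections later.
        $bytes = [System.IO.File]::ReadAllBytes($target)
        $sha1 = [System.BitConverter]::ToString(
            (New-Object System.Security.Cryptography.SHA1Managed).ComputeHash($bytes)) -replace '-'
        $indicators += "  -> file exists, $($bytes.Length) bytes, SHA1 $sha1"
    } else {
        $indicators += "  -> referenced file is missing (already removed or path changed)"
    }
}

# 3. Backdoor listener on port 8080 (assumed TCP). Get-NetTCPConnection does not
#    exist on the listed platforms, so parse the output of netstat -ano instead.
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+\S+:8080\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $procId = [int]$Matches[1]
        $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = if ($p) { $p.ProcessName } else { 'unknown' }
        $indicators += "TCP 8080 LISTENING, PID $procId ($name)"
    }
}

if ($indicators.Count -gt 0) {
    Write-Output "Possible BKDR_ATADOMMO.C artifacts:"
    $indicators | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No BKDR_ATADOMMO.C artifacts found."
}
```

Weigh the findings rather than treating any one as proof: a listener on 8080 alone is common (proxies, web consoles, development servers), so it only matters in combination with the AutoStart value or the COMMON.DATA file. The Run value name is the most specific of the three indicators, and the path it holds is what to acquire for analysis before cleaning the host. On Windows 8 / Server 2012 or later the netstat parsing can be replaced with `Get-NetTCPConnection -LocalPort 8080 -State Listen`.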
Other Details
This backdoor connects to the following possibly malicious IP addresses (shown partially redacted):
- {BLOCKED}.{BLOCKED}.29.115
- {BLOCKED}.{BLOCKED}.179.11
- {BLOCKED}.{BLOCKED}.179.117
- {BLOCKED}.{BLOCKED}.216.50
- {BLOCKED}.{BLOCKED}.184.90
- {BLOCKED}.{BLOCKED}.243.58
- {BLOCKED}.{BLOCKED}.196.41
- {BLOCKED}.{BLOCKED}.121.164
- {BLOCKED}.{BLOCKED}.243.136
NOTES:
{Malware Path} is a variable location. It is the location of the BKDR_ATADOMMO.C executable and will vary according to where the executable has been installed.